-
Notifications
You must be signed in to change notification settings - Fork 9.6k
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
[WIP] aws_snapshot_create_volume_permission #9891
[WIP] aws_snapshot_create_volume_permission #9891
Conversation
This adds the new resource aws_snapshot_create_volume_permission which manages the createVolumePermission attribute of snapshots. This allows granting an AWS account permissions to create a volume from a particular snapshot. This is often required to allow another account to copy a private AMI.
Confirmed this works for both create and destroy, but it takes some time for the change to propagate AWS side. |
I added a wait with a 5 minute timeout which resolves the propagation issue. The average wait seems to be around 2 minutes for my testing on us-west-2. |
This adds up to a 5 minute wait after issuing an add or remove request to adjust a snapshot's createVolumePermission attribute.
4c09db1
to
28f0b20
Compare
Hey @jeremy-asher – thanks for the contribution! In #10017 we added a resource for EBS snapshots, I was thinking we could bundle it with the
What do you think? |
@catsby for my purposes, this needs to be its own resource, similar to |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
I'd like to see the READ
method patched up here, and I have a question about supporting multiple accounts here
} | ||
|
||
func resourceAwsSnapshotCreateVolumePermissionRead(d *schema.ResourceData, meta interface{}) error { | ||
return nil |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
We should probably call conn.DescribeSnapshotAttribute
here and verify that the account ID we expect is still in the list of permissions. If not, we should remove this resource from state with d.SetId("")
, that way if someone modifies the snapshot permissions outside of Terraform, we can detect that drift and offer to repair it.
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
ah, just noticed you implemented the Exists
method, ignore this comment!
Required: true, | ||
ForceNew: true, | ||
}, | ||
"account_id": &schema.Schema{ |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Do you think we should have this as account_ids
and support a set of IDs, instead of a single 1:1 relationship?
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
I was thinking about that a bit. I agree that it would be nice to supply multiple IDs at once, but I opted to keep this similar to the aws_ami_launch_permission resource. I don't mind changing it if you prefer.
That's totally fair and reasonable. I can imagine my idea landing in |
I have an open question about support for multiple account ids instead of just a 1:1, and also we'll need documentation for this but I can work that out I suppose. |
I'm happy to do docs on this as well. I mainly posted this in its current state to get feedback on the issues I called out in the description. As is, it's not really possible to use this resource in terraform without supplying a snapshot id as a variable directly. This is undesirable for most interesting use cases involving AMI sharing since the snapshot is not available directly. |
@jeremy-asher if you're willing to contribute the docs, I'm happy to merge this as is. If we decide to support multiple account ids in the future we can change it by adding a new field. Thanks! |
@jeremy-asher thinking on it, I'm happy to just do the docs myself right now, you've already done plenty and I shouldn't have asked more of you. Hopefully you haven't started, but let me know, otherwise I'll get on that 😄 |
@catsby either way, though like I said, this currently doesn't fix the problem I opened it to solve. I don't think there's any modifications to the PR to be made to address that other than the tests. I could modify the tests to do something less practical, but they don't currently work. |
provider/aws: Add aws_snapshot_create_volume_permission resource (contd. #9891)
I'm going to lock this issue because it has been closed for 30 days ⏳. This helps our maintainers find and focus on the active issues. If you have found a problem that seems similar to this, please open a new issue and complete the issue template so we can capture all the details necessary to investigate further. |
Note: this is almost a direct copy of aws_ami_launch_permission since the API is almost identical for this functionality.
This adds the new resource aws_snapshot_create_volume_permission which manages the createVolumePermission attribute of snapshots. This allows granting an AWS account permissions to create a volume from a particular snapshot. This is often required to allow another account to copy a private AMI.
There's a few outstanding issues I could use some help with:
there's a bug which is causing the AWS API call to succeed, but no create volume permission modifications to occurIt turns out this is just really slow to update. Resolved with a wait.Here's some example code for testing things out. The snapshot_id has to be provided as an input after the copy completes.